CVE-2022-39254

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-39254
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39254.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-39254
Aliases
Downstream
Related
Published
2022-09-29T15:15:10Z
Modified
2025-09-19T14:07:57.320177Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

matrix-nio is a Python Matrix client library, designed according to sans I/O principles. Prior to version 0.20, when a users requests a room key from their devices, the software correctly remember the request. Once they receive a forwarded room key, they accept it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.20 fixes the issue.

References

Affected packages

Git / github.com/matrix-nio/matrix-nio

Affected ranges

Type
GIT
Repo
https://github.com/matrix-nio/matrix-nio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b1cbf234a831daa160673defd596e6450e9c29f0
Type
GIT
Repo
https://github.com/poljar/matrix-nio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f4f7b867ca20dd31521d5381efdab426669aa232

Affected versions

0.*

0.1
0.10.0
0.11.0
0.11.1
0.11.2
0.12.0
0.13.0
0.14.0
0.14.1
0.15.0
0.15.1
0.15.2
0.16.0
0.17.0
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.18.5
0.18.6
0.18.7
0.19.0
0.2
0.3
0.4
0.4.1
0.5
0.6
0.7
0.7.1
0.7.2
0.8.0
0.9.0